Tech Talk: Knowing How Biometrics Can Be Beaten Helps You Win

Biometrics is one of the most fascinating areas of electronic security, representing both the epitome of high tech and the nadir of false authentication and vulnerability to compromise. But improvements continue to emerge, and so long as security professionals remain aware of potential issues biometrics can have a place in your access control mix.

Those of you who have been on this planet for a few decades may remember a famous 1971 television advertisement in which the question was asked, “Is it live or is it Memorex?” The challenge was to tell if a fine crystal glass was being broken with the sound of a high note coming from the original singer or a reproduction by the audiotape manufactured by Memorex. As you might expect the answer was Memorex. They were able to mimic similar results of a human voice. While this is entertaining it can be a real problem in the world of biometrics and security.

Now we step forward to 2005 and the bizarre theft of a biometrics-activated Mercedes automobile. After the thieves stole this special car and had been riding around for a while, they decided to dump the owner. Before doing so they realized they needed his biometric token, and hacked off his finger. And so began the beginning of “spoofing” biometric sensors.

The biometric industry has recently mushroomed and as popularity grows so does the opportunity for security compromise. This month we will take a look at some of the areas one should understand and compare when looking for the best biometric device/system for the application. We will look at technologies that can best detect the biometric “liveness” of the person accessing a system.

Sensor Performance Parameters

The concept is simple but challenging — deploy a sensor that enrolls a person quickly and then recognizes them accurately. Non-authorized personnel are accurately rejected from the system. Some performance guidelines are:

False Acceptance Rate (FAR) — The probability that a system will authorize a non-authorized person. This is usually expressed as a percentage of invalid inputs that are incorrectly accepted.

False Rejection Rate (FRR) — The probability that a system will reject an authorized person. This is often due to the sensor not matching the input with the person’s enrolled template. This is usually expressed as a percentage of valid inputs that are incorrectly rejected.

Crossover Error Rate (CER) — The rate at which the FRR and FAR are equal. This matching algorithm determines how close to the template the input must be for a match. This threshold value is sometimes called “sensitivity” or the Equal Error Rate (see diagram).

Speed — This is another factor of biometric devices and software that will allow time to enroll and authenticate. A few seconds difference may be of consideration when you have a large population.

Digging Into Biometric Technologies

Basic fingerprint readers look at the fingerprint pattern on the surface. An easy spoofing method is to make fingerprint dummy fingers with silicone and even gummy bears, and place on another person’s finger. Just like in some Hollywood movies, fingerprint images can even be lifted from the reader sensor surface and replicated. These are examples of a very poor liveness rating.

There can also be a problem with dirty fingers or no legible fingerprints at all. It has been reported that about 2 percent of the U.S. population does not have legible fingerprints.

One technology, known as multispectral imaging, is catching on and being used by partnering manufacturers i-Evo and Lumidigm (www.lumidigm.com/ievo-reader). These sensors capture fingerprint data below the surface of the skin so that dryness or even damaged or worn fingers create no problem for reliable reads. According to the manufacturer, this technology can even read accurately through some latex gloves.

Using multiple wavelengths of light and advanced polarization techniques, this technology extracts data from both the surface and subsurface. Using this technology has allowed i-Evo readers to have a FRR of less than 0.1 percent and a FAR of less than 0.00001 percent. This helps significantly counter liveness spoofing.

Article Topics

About the Author

Bob Dolph
Bob is currently a Security Sales & Integration "Tech Talk" columnist and a contributing technical writer. Bob installed his first DIY home intercom system at the age of 13, and formally started his technology career as a Navy communication electronics technician during the Vietnam War. He then attended the Milwaukee School of Engineering and went on to complete a Security Management program at Milwaukee Area Technical College. Since 1976, Bob has served in a variety of technical, training and project management positions with organizations such ADT, Rollins, National Guardian, Lockheed Martin, American Alarm Supply, Sonitrol and Ingersoll Rand. Early in his career, Bob started and operated his own alarm dealership. He has also served as treasurer of the Wisconsin Burglar and Fire Alarm Association and on Security Industry Association (SIA) standards committees. Bob also provides media and training consulting to the security industry.Contact Bob Dolph: [email protected]

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You'll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!